Privacy Policy

Last updated: March 23, 2026

1. Introduction

SR&ED Copilot (“we”, “our”, or “us”) provides SR&ED documentation preparation services (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using our Service, you consent to the data practices described in this policy. For details on our security measures and data handling practices, see our Security & Data Handling page.

2. Information We Collect

2.1 Account Information

Information you provide when registering and using the Service:

  • Name, email address, organization name
  • Payment information (processed by Stripe; we do not store card numbers)
  • Project information (project names, descriptions, fiscal year data)
  • Communications with us (support requests, feedback)

2.2 Evidence and Project Data

Data you provide or authorize us to collect for SR&ED documentation:

  • Manual evidence entries (descriptions, dates, tags, author attribution)
  • Data from connected integrations (Git commits, Jira issues, Slack messages) when you authorize access
  • Expenditure records (amounts, categories, personnel, time periods)
  • AI-generated narrative drafts and your edits to them
  • Eligibility assessment responses and compliance check results

2.3 Automatically Collected Information

  • Log data (IP address, browser type, pages visited)
  • Usage data (features used, session duration)
  • Device information (device type, operating system)

3. How We Use Your Information

We use your information to:

  • Provide, maintain, and improve the Service
  • Process your transactions and manage your subscription
  • Generate T661 narrative drafts using AI (your evidence is sent to AI providers for generation only)
  • Detect evidence gaps and assess claim readiness
  • Calculate expenditure summaries and ITC estimates
  • Send technical notices, updates, and support messages
  • Respond to your questions and support requests
  • Detect, prevent, and address technical issues and fraud
  • Comply with legal obligations

AI Data Use

When you generate narratives, selected evidence is sent to our AI providers (Anthropic, OpenAI, or Cohere depending on your configuration). We do not use your data to train AI models. AI providers process your data according to their respective privacy policies and data processing agreements.

4. Data Storage and Security

For comprehensive details on our security measures, encryption practices, and infrastructure, see our Security & Data Handling page.

Summary:

  • Data encrypted in transit (TLS) and at rest (hosting platform encryption)
  • OAuth integration tokens encrypted in our database
  • Role-based access controls (owner, accountant, member)
  • Audit logging of sensitive operations
  • Canadian data residency is a goal, not a current guarantee

5. Data Retention

Retention periods are configurable per your subscription plan, aligned with CRA requirements:

  • Evidence items: 12-84 months depending on plan (CRA recommends 6+ years for SR&ED records)
  • Project data: Retained for the life of your account or 7 years, whichever is longer
  • AI-generated narratives: Retained until you delete them or close your account
  • Account data: Retained until account deletion is requested
  • Audit logs: Retained for 2 years
  • Backups: Retained for 30 days after deletion from primary storage

6. Sharing Your Information

We share your information only with:

  • AI Providers: Anthropic, OpenAI, and/or Cohere receive selected evidence during narrative generation only. No data is shared for model training.
  • Payment Processor: Stripe is configured for payment processing (not yet active during early access). We do not store card numbers.
  • Hosting Provider: Our infrastructure provider hosts your data.
  • Team Members: Other users in your organization based on role permissions.
  • Legal Requirements: When required by law, court order, or government request.
  • Business Transfers: In connection with a merger, acquisition, or sale of assets (with 30 days' advance notice).

We do NOT sell your personal information or data to third parties.

7. Your Rights

You have the right to:

  • Access and review your account information and stored data
  • Export your data (evidence, narratives, expenditures) in standard formats
  • Delete your account and request erasure of associated data
  • Disconnect integrations and revoke OAuth access at any time
  • Opt out of non-essential communications
  • Request correction of inaccurate data
  • Request a summary of what data we hold about you

To exercise these rights, contact us at privacy@sredcopilot.ca.

8. Third-Party Integrations

When you connect GitHub, Jira, or Slack, you authorize us to access specific data from those services for the purpose of evidence collection. We access only the scopes you approve during OAuth authorization. You can disconnect integrations at any time from your settings, which revokes our access.

Third-party services are governed by their own privacy policies. We are not responsible for their data practices.

9. Children's Privacy

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 14 days before they take effect. Your continued use after the effective date constitutes acceptance.

11. Compliance

This Privacy Policy is designed with the principles of the Personal Information Protection and Electronic Documents Act (PIPEDA) in mind. We do not claim formal PIPEDA compliance certification at this time. If you have questions about our data practices, contact us.

12. Contact Us

For questions about this Privacy Policy:

  • Email: privacy@sredcopilot.ca